No End to the Headaches Endpoints Give System Defenders

"What we need in the endpoint security space are solutions that deliver security and user freedom -- controls that empower the user to interact with untrusted content but mitigate any risk introduced as a result," said Invincea CEO Anup Ghosh. "[They] have to work well with the entire defense in-depth strategy, can't add further burden to already-burdened machines, and should change the paradigm."

By John P. Mello Jr.
09/03/13 4:33 PM PT

If there's one attack surface that's attracting growing attention from digital marauders, it's a system's endpoints. With the proliferation of devices accessing corporate networks, securing connections can be a defender's nightmare.

Endpoints have an allure for attackers because they offer multiple attack vectors, such as social engineering attacks, spearphishing, USB infection, and compromise of WiFi networks and routers.

Moreover, combinations of attacks can be packaged into kits that monitor an endpoint's activity and tailor attacks based on available vulnerabilities at the point of attack.

"These types of attacks are very difficult to detect and cannot necessarily be discovered with an endpoint agent," James Kawamoto, director of product management at Zscaler, told TechNewsWorld.

Innovation Lagging

Hardening endpoints has been problematic. "The endpoint has been left to stagnate in terms of security innovation," Anup Ghosh, CEO of Invincea, told TechNewsWorld.

"The vast majority of endpoints rely on signature-based defenses to spot malware, and with more than 200,000 new variants of malware released into the wild daily, those technologies are woefully incapable of keeping up," he added.

What's more, tightening security at endpoints can put a crimp in worker productivity.

"For the most part, enterprises are afraid of touching the endpoint because the controls they have at their disposal are either inadequate, and thus don't justify the hassle, or far too restrictive to the end user," Ghosh maintained.

"What we need in the endpoint security space are solutions that deliver security and user freedom -- controls that empower the user to interact with untrusted content but mitigate any risk introduced as a result," he said.

"These controls have to work well with the entire defense in-depth strategy, can't add further burden to already-burdened machines, and should change the paradigm by empowering users as opposed to constraining them," added Ghosh.

Spam Targets Craigslist

Spammers aren't new to Craigslist, but typically they're trying to scrape email addresses from the service, not engaging in elaborate schemes to post spam there. Last week, however, security researchers at Solera Networks, a Blue Coat company, discovered such a ruse.

The dodge starts with malicious links planted on the Internet. They could be on infected Web pages or ads. The links promise to update a browser add-on called "Adobe Photo Loader," which doesn't exist.

Instead of delivering the bogus Adobe program to a computer, the link delivers a Trojan with a specific purpose. It sends spam to Craigslist trying to drum up business for a piece of mobile spyware called "Stealth Nanny."

Although limited in scope at the moment, the Trojan could be reprogrammed at any time by its master.

"The danger is the same from any malicious Trojan in that it could be used to distribute any sort of malware payload," Pickering noted. "So I would say any sort of fraud-generating malware is a likely candidate for spreading via this mechanism."

Repeat Offender

Stanford University has been a repeat offender when it comes to data breaches. It has experienced half a dozen breaches in the last four years, the most recent being last month when all users of the school's computer system were advised to reset their passwords due to an IT breach.

A look at the online security advice the university gives its users may offer a hint about the source of its porosity problems.

"It's disappointing to read Stanford's guidance on what people should be doing," Dave Jevans, chairman and CTO of Marble Security, told TechNewsWorld.

For example, the school recommends users follow industry best practices to protect mobile devices.

Another recommendation is to use strong passwords, which may be useful, but stops short of identifying the real problem facing users.

"The bad guys aren't getting in because they're guessing your password. They're getting in because you're giving it to them," Jevans said.

"They're going to send you an email saying they're the IT department and you have to change your password; here's the website to do it," he continued. "Then you click on a link and go to a bad website where you enter your password and they take over your account."

Breach Diary

Aug. 26. Anonymous posts to the Internet information gained from its breach of the FBI's Regional Forensics Computer Laboratory, including 19,329 law enforcement email addresses. The action is believed to be in retaliation for the FBI's claim that it had largely dismantled the hacker organization.

Aug. 28. University of Texas Health Science Center at Houston Medical School reports unencrypted laptop computer containing some patient information was discovered missing on Aug. 2 from a locked closet in a physician's orthopedic clinic and begins notifying 596 patients affected by the breach. Laptop contained hand and arm image data from February 2010 to July 13, as well as patient names, birth dates and medical record numbers. No Social Security numbers were on the machine.

Aug. 28. Manager Magazin Online reports that 25 employees of Deutsche Telekom had unauthorized access to personal data on nearly all the company's 120,000 employees in Germany for 11 years. An investigation of the breach is currently under way.

Aug. 28. Valparaiso, Ind., sends out letters notifying 860 users of the city's ambulance service that their personal information has been stolen by an employee of billing company ADP who used some of the information to file fake tax returns and collect refunds.

Aug. 28. Liberty Mutual Insurance Company files lawsuit against St. Louis supermarket chain Schnuck Markets to limit its liability in data breach that compromised the credit card numbers of some 2.4 million of the food retailer's customers.

Aug. 29. Federal regulators and Illinois attorney general's office confirm they are investigating data breach at the Advocate Medical Group that could affect more than 4 million patients seen by the healthcare provider's physicians.

Aug. 29. Federal Trade Commission accuses LabMD, a medical lab in Atlanta, of failing to adequately protect its patients' online records, resulting in leak of Social Security numbers and birth dates of some 9,000 consumers.

Aug. 30. Osprey Packs begins notifying its Osprey Pro customers that their personal information was compromised in an attack on its Pro Deals website. The breach exposed customers' names, billing, shipping and email addresses, phone numbers, and credit card numbers with expiration dates. Although a small number of customers have reported to the company that they believe attempts were made to use their credit card information fraudulently, the firm has not yet offered credit monitoring services to customers.

Upcoming Security Events

Sept. 10. AT&T Cyber Security Conference. New York Hilton Midtown Hotel, Avenue of the Americas, New York City. Free with registration.